Thursday

21st Sep 2023

Analysis

What does the death of the EU data directive mean?

The EU's data retention directive was agreed in 2006, in the wake of terrorist attacks in Madrid and London in 2004 and 2005 respectively, as governments attempted to tighten national security rules.

Under the regime, telecoms companies were required to retain phone and email data for at least six months and up to two years (according to national law), for possible use in investigating and prosecuting terrorist and other serious crimes.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

  • The ruling by the European Court of Justice leaves rules on data retention in a state of limbo (Photo: Lee Morley)

26 of the EU's 28 member countries have applied the regime into their own national legal framework. Germany and Belgium did not.

Why does the Court say it is illegal?

Digital Rights Ireland launched a court action in 2012 against the transposition of the directive, as did 11,130 Austrian rights campaigners, both of which were referred to the EU's top court, the European Court of Justice. In its ruling yesterday (8 April) the ECJ found that the directive was in breach of the right to respect for private life and the fundamental right to the protection of personal data.

"By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data," the court in Luxembourg ruled.

But the Court did not rule that data retention itself is illegal, rather that the requirements in the EU legislation were excessive.

"The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality."

The judgement should not come as that much of a surprise, since it is in line with an opinion published in December by the ECJ's advocate general Pedro Cruz Villalon, which recommended the directive be overturned. Cruz Villalon also stated that the directive breached the Charter of Fundamental Rights.

What does it mean?

The ruling means that, in legal terms, the directive is null and void. There is no EU legislation on data retention.

"We are going back as if it never existed," a Commission source told EUobserver.

EU home affairs commissioner, Cecilia Malmstroem, said that the ruling brought "clarity and confirms the critical conclusions in terms of proportionality of the Commission's evaluation report of 2011" on the implementation of the directive.

Does that mean that the 26 national laws are invalid?

No, they will remain in place. The Court ruling does not immediately affect the rights of an EU government to demand that telecoms firms retain phone and email data.

National governments could face a flood of legal challenges against their own laws from citizens claiming breaches of privacy. But claimants would have to prove that the national laws were in breach of the Charter, which applies to all EU and national law across the bloc.

Governments face two options: to keep to their existing laws and wait for possible legal actions; or to re-write their national laws.

Meanwhile, telecoms companies could also press legal challenges relating to the length of time they are expected to retain data for under national law.

What happens next?

The European Commission was not eager to defend the legislation following the ECJ ruling.

"We all know this is not Malmstroem's favourite directive," a Commission source told EUobserver, adding that the bill had been drafted in response to "a very specific situation . . . and it was clearly done in a hurry".

Commission officials have indicated that the EU's executive arm will take "several months" to assess the impact of the judgement and will scrap its plans to modify the directive.

"There are now no EU rules on data retention . . . so our plan to revise it cannot happen any more," one official told this website. Instead, the Commission is likely to table a new legislative proposal. However, this will not be proposed to MEPs and ministers until after the European elections in May.

But since the Court did not conclude that data retention itself is illegitimate, a future EU law is likely to focus on striking a better balance between the right to privacy and data protection and national security. This will probably mean reduced retention periods and tighter restrictions on government and third party access to data.

What about the countries who refused to implement the directive?

The European Commission had begun infringement proceedings against Belgium and Germany over their refusal to implement the directive. In Germany's case, the EU executive had recommended that it be fined more than €300,000 per day that it had failed to apply the legislation.

The Court ruling does not automatically void these proceedings, but officials have indicated that the 28 commissioners will discuss the end of the two legal actions at their next meeting.

EU court scraps data surveillance law

The EU court has struck down a law on internet and phone surveillance, saying loose wording opens the door to untoward snooping.

MEPs want to scrap US data agreements

Frustrated MEPs want the EU to scrap data protection agreements with the US as they mount pressure on the member states to start negotiations on the EU data protection reforms.

Latest News

  1. Report: Tax richest 0.5%, raise €213bn for EU coffers
  2. EU aid for Africa risks violating spending rules, Oxfam says
  3. Activists push €40bn fossil subsidies into Dutch-election spotlight
  4. Europe must Trump-proof its Ukraine arms supplies
  5. Antifascism and fascism are opposites, whatever elites say
  6. MEPs back Germany's Buch to lead ECB supervisory arm
  7. Russia to blame for Azerbaijan attack, EU says
  8. Fresh dispute may delay EU-wide migration reforms

Stakeholders' Highlights

  1. International Medical Devices Regulators Forum (IMDRF)Join regulators, industry & healthcare experts at the 24th IMDRF session, September 25-26, Berlin. Register by 20 Sept to join in person or online.
  2. UNOPSUNOPS begins works under EU-funded project to repair schools in Ukraine
  3. Georgia Ministry of Foreign AffairsGeorgia effectively prevents sanctions evasion against Russia – confirm EU, UK, USA
  4. International Medical Devices Regulators Forum (IMDRF)Join regulators & industry experts at the 24th IMDRF session- Berlin September 25-26. Register early for discounted hotel rates
  5. Nordic Council of MinistersGlobal interest in the new Nordic Nutrition Recommendations – here are the speakers for the launch
  6. Nordic Council of Ministers20 June: Launch of the new Nordic Nutrition Recommendations

Stakeholders' Highlights

  1. International Sustainable Finance CentreJoin CEE Sustainable Finance Summit, 15 – 19 May 2023, high-level event for finance & business
  2. ICLEISeven actionable measures to make food procurement in Europe more sustainable
  3. World BankWorld Bank Report Highlights Role of Human Development for a Successful Green Transition in Europe
  4. Nordic Council of MinistersNordic summit to step up the fight against food loss and waste
  5. Nordic Council of MinistersThink-tank: Strengthen co-operation around tech giants’ influence in the Nordics
  6. EFBWWEFBWW calls for the EC to stop exploitation in subcontracting chains

Join EUobserver

Support quality EU news

Join us